The University of Texas M.D. Anderson Cancer Center announced last Friday that it had yet another data breach this year. According to the Houston Chronicle, on 13 July, an unencrypted thumb drive containing the names, birth dates, medical record numbers, and health information of 2200 patients was lost by a medical student on a shuttle bus. The only "good news" is that the thumb drive did not contain anyone’s Social Security information or financial data.
In April, an unencrypted laptop containing information on some 30 000 M.D. Anderson Cancer Center patients was stolen from a faculty member’s home. The information included patient names, Social Security numbers, as well as detailed medical information on at least 10 000 patients, the Chronicle reported. As a result of the theft, the Cancer Center embarked on encrypting the information on over 26 000 computers.
What is interesting is that back in November of 2006, the Chronicle reported that a laptop containing patient insurance claim information (including "patients' names, policy numbers, Social Security numbers, dates of birth, ZIP codes, medical procedures, and dates of service") on 4000 M.D. Anderson patients had been stolen from the home of an employee of PricewaterhouseCoopers. The PWC employee was involved in reviewing patient insurance claims.
In the latter case, the information on the laptop was strongly encrypted. For whatever reason, the security executives at M.D. Anderson didn’t take that incident as a warning that maybe they should do the same for their own laptops and thumb drives—an opportunity missed.
BTW, a statement by M.D. Anderson on the latest incident says that it “deeply regrets that this incident has occurred,” and that it is now buying encrypted thumb drives “for distribution to employees who handle sensitive data.”
According to a records search of the Privacy Rights Clearinghouse, which keeps a running tab on data breaches and the like, so far this year 387 357 medical-related records have been compromised in 68 reported incidents involving lost, discarded, or stolen laptops, PDAs, smartphones, portable memory devices, CDs, hard drives, data tapes, etc. Last year there were 66 such breaches with 6 130 630 records compromised.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.